Basic Server Security: Auditing And Managing Running Services
Welcome back to our series on basic server security. So far we’ve looked at the reasons why your server needs to be secured, how to use your firewall, monitoring and intrusion detection tools that can help with this, and also why you need to use multiple user accounts with your server. In this article we’ll be looking at auditing and managing your running services and why this is important to your server’s security.
What kind of services?
Let’s start by looking at what we mean by services. A service is a piece of software that runs in the background and performs long-running tasks on your computer. On servers, the services you commonly run are things like your web server software, such as Apache or Nginx, email servers like Dovecot and Exim, and management services such as SSH or Microsoft Terminal Services. For the most part, these services run on a server all the time and accept connections from the internet.
When an attacker is attempting to compromise a target server, the first thing they will do is scan the server to see what services are running and are available to be used. Once they have identified the services that are running, they’ll then start working through known bugs in those services to gain access and control of the server. Unfortunately, despite best efforts by developers, software bugs do occur, and in some cases these bugs can have pretty severe consequences.
Risk vs. Reward
To minimize this risk you need to have as few services accessible from the internet as possible. A default server installation of a Linux distribution often comes with a number of “useful” services running, many of which may not be needed for your use case. So the first thing you need to do is get an overall idea of the services that you have installed and running on your server.
Windows Services
On Microsoft Windows servers there is a Services panel in the Administrative Tools that makes it easy to see the installed services and then enable or disable them. In general, we’d recommend setting unused services to require a manual start rather than disabling them outright. That way, if stopping one service turns out to cause problems with another, it can easily be started again. If there are no problems, you can later fully disable them.
Linux Services
On older Linux systems that don’t use systemd, you can use the command “service --status-all” to list the installed services. Unfortunately it’s not the simplest tool to use, but services that are running show with a plus symbol “+”, services it can’t get a status from show a question mark “?”, and services that aren’t running show a minus symbol “-”. The list can include services that aren’t installed or enabled, but it provides a good starting point to work from. On more modern Linux systems using systemd for service management you can get a list of your services using the “systemctl list-units --type service” command.
Disabling Services
It’s worth spending some time researching the running services before disabling them as some are needed for the system to run properly even if you don’t know what they are. Once you are satisfied that a service is safe to be disabled, then (on an older system that doesn’t use systemd) you can use the following command to disable a service:
sudo chkconfig <service> off
In this instance, replace “<service>” with the name of the service you want to disable. To re-enable it, replace the ‘off’ with ‘on’.
For modern systems using systemd you can use:
sudo systemctl disable <service>
Again, replace “<service>” with the name of the service. To re-enable the service later, replace disable with enable.
This task can take some time to get configured correctly. Once it is done, however, you can go a step further and configure your monitoring to watch the running services and alert on changes, such as an unexpected service starting.
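The following script is an added example for this article, not part of the original text or of any tool it mentions. It parses the two listing formats described above (the “+”, “-” and “?” markers of “service --status-all”, and the UNIT/LOAD/ACTIVE/SUB columns of “systemctl list-units --type service --no-legend”) into a sorted list of running services, then compares that list with a saved baseline, which is the check a monitoring job would run to alert on an unexpected service starting. The sample outputs, the baseline contents and the function names are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article. Parses service listings
# and compares the running set against a baseline. Sample outputs below
# are constructed for this example, not captured from a real host.

# Constructed sample of "service --status-all" (sysvinit) output:
# "+" running, "-" not running, "?" status could not be determined.
SAMPLE_SYSV=' [ + ]  apache2
 [ - ]  avahi-daemon
 [ ? ]  hwclock.sh
 [ + ]  ssh
 [ + ]  cups'

# Constructed sample of "systemctl list-units --type service --no-legend".
# Columns: UNIT LOAD ACTIVE SUB DESCRIPTION...
SAMPLE_SYSTEMD='apache2.service loaded active running The Apache HTTP Server
cups.service    loaded active running CUPS Scheduler
exim4.service   loaded failed failed Exim Mail Transport Agent
ssh.service     loaded active running OpenBSD Secure Shell server'

# Constructed baseline of services expected to be running, one per line.
# In practice you would save this to a file once the audit is finished.
BASELINE='apache2
ssh'

# sysv_services_with OUTPUT MARKER
# Prints (sorted) the service names whose status marker is MARKER (+, - or ?).
# Each line looks like " [ + ]  name": the marker is field 2, the name field 4.
sysv_services_with() {
  printf '%s\n' "$1" | awk -v m="$2" '$2 == m { print $4 }' | sort
}

# systemd_running OUTPUT
# Prints (sorted) unit names that are active and running, minus ".service".
systemd_running() {
  printf '%s\n' "$1" | awk '$3 == "active" && $4 == "running" {
    sub(/\.service$/, "", $1); print $1 }' | sort
}

# new_services BASELINE CURRENT
# Prints every name in CURRENT (newline-separated) that is not in BASELINE.
# Service names contain no whitespace, so plain word splitting is safe.
new_services() {
  baseline=$(printf '%s\n' "$1" | tr '\n' ' ')
  for svc in $2; do
    case " $baseline " in
      *" $svc "*) ;;                # expected: nothing to report
      *) printf '%s\n' "$svc" ;;    # not in baseline: worth an alert
    esac
  done
}

# Demonstration on the constructed samples.
echo "Running (sysvinit):";        sysv_services_with "$SAMPLE_SYSV" "+"
echo "Unknown status (sysvinit):"; sysv_services_with "$SAMPLE_SYSV" "?"
echo "Running (systemd):";         systemd_running "$SAMPLE_SYSTEMD"
echo "Not in baseline:";           new_services "$BASELINE" "$(systemd_running "$SAMPLE_SYSTEMD")"
```

On a live host you would feed the functions the real command output, for example `systemd_running "$(systemctl list-units --type service --no-legend)"`, and run the comparison from cron or your monitoring agent. Two points worth keeping in mind when acting on the results: “systemctl disable” only stops a service from starting at boot, so a currently running instance also needs “systemctl stop”; and a service list tells you what is running, not what is reachable, so pair the audit with a look at listening sockets (for example “ss -tlnp”) and the firewall rules covered earlier in this series.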